Title

The system must prohibit the reuse of passwords within five iterations. (Cat II impact)

Discussion

If a user, or root, used the same password continuously or was allowed to change it back shortly after being forced to change it to something else, it would provide a potential intruder with the opportunity to keep guessing at one user's password until it was guessed correctly.

Check Content

# pam-config -q --pwhistory If the result is not’ password: remember=5’ or higher, then this is a finding. # ls /etc/security/opasswd If /etc/security/opasswd does not exist, then this is a finding. # grep password /etc/pam.d/common-password| grep pam_pwhistory.so | grep remember If the "remember" option in /etc/pam.d/common-password is not 5 or greater, this is a finding.

Fix Text

Create the password history file. # touch /etc/security/opasswd # chown root:root /etc/security/opasswd # chmod 0600 /etc/security/opasswd Configure pam to use password history. # pam-config -a --pwhistory # pam-config -a --pwhistory-remember=5

Additional Identifiers

Rule ID: SV-44884r1_rule

Vulnerability ID: V-4084

Group Title: GEN000800

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.